DOTS Y. Hayashi
Internet-Draft NTT
Intended status: Experimental K. Nishizuka
Expires: April 18, 2019 NTT Communications
October 15, 2018
DDoS mitigation offload usecase and YANG module expansion in signal channel
draft-h-dots-mitigation-offload-expansion-00
Abstract
This document describes a DDoS Mitigation offload usecase and an
expansion of the YANG module in the DOTS signal channel for
mitigating DDoS attack traffic correctly with general routers or
switches. The proposed usecase and YANG module enhance DOTS
capability to send attacker information and enable service providers
to mitigate DDoS attack traffic by using general routers or switches
in their intra-domain NW.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on April 18, 2019.
Copyright Notice
Copyright (c) 2018 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
Hayashi & Nishizuka Expires April 18, 2019 [Page 1]

Internet-Draft draft-h-dots-mitigation-offload-expansion October 2018
[I-D.ietf-dots-signal-channel], which enables a service provider's
network to mitigate attack traffic correctly in the usecase.
2. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in
[RFC2119].
The readers should be familiar with the terms defined in
[I-D.ietf-dots-requirements] and [I-D.ietf-dots-use-cases].
The terminology related to YANG data modules is defined in [RFC7950].
In addition, this document uses the terms defined below:
Mitigation offload: Relieving a DMS of its mitigation action and
assigning the action to another entity when the utilization rate
of the DMS reaches an unacceptable level.
DDoS attackers: Devices that carry out DDoS attacks.
Utilization rate: A measure of the load on an entity, such as link
utilization rate or CPU utilization rate.
Top Talker: A top-N list of attackers who attack the same target.
The list is ordered by bandwidth, measured in bps or pps.
3. DDoS Mitigation Offload Usecase
The purpose of this usecase is to protect an intra-domain network from
volume-based DDoS attacks automatically, cost-effectively, and
vendor-independently. The usecase is inherited from the DDoS
Orchestration usecase in [I-D.ietf-dots-use-cases] and operates within
an intra-domain network.
Figure 1 and Figure 2 show a component diagram and C-plane sequence
diagram of the usecase, respectively.
When the volume-based attack becomes intense, the DMS's utilization rate
can reach its maximum capacity. The DMS then sends a DOTS mitigation
request to the orchestrator as an offload request, carrying the
detection information. The orchestrator in turn requests the routers or
switches to block attack traffic destined for the DMS by disseminating
flow specification rules through protocols such as BGP Flowspec
[RFC5575], on the basis of the detection information.
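The DMS side of this sequence, as an added example that is not part of the draft: when the utilization rate crosses a threshold, the DMS aggregates per-source traffic for the protected target, ranks sources by bps or pps to obtain the Top Talker list, and assembles the offload request. The flow records, the threshold, and the field names "target-prefix", "source-prefix", "rank" and "ordering" are constructed for illustration; the draft names the grouping "attacker" but the page does not show the nodes inside it.

```python
"""DMS-side offload trigger: select top talkers and build an offload request.

Added example, not code from the draft. Flow records, the utilization
threshold and the request field names are constructed assumptions.
"""
from collections import defaultdict
import ipaddress

# Constructed flow records seen by the DMS for one protected target over a
# single measurement interval: (source_ip, bytes, packets).
INTERVAL_SECONDS = 10
FLOWS = [
    ("198.51.100.7", 8_000_000, 6_000),
    ("198.51.100.9", 9_500_000, 7_200),
    ("203.0.113.4", 400_000, 50_000),     # tiny packets: high pps, low bps
    ("203.0.113.21", 6_000_000, 4_500),
    ("198.51.100.7", 4_000_000, 3_000),   # same source reported twice
    ("198.51.100.200", 300_000, 200),
]


def aggregate_by_source(flows, interval):
    """Sum bytes and packets per source and convert to bps and pps."""
    totals = defaultdict(lambda: [0, 0])
    for src, nbytes, npkts in flows:
        totals[src][0] += nbytes
        totals[src][1] += npkts
    return {
        src: {"bps": nbytes * 8 / interval, "pps": npkts / interval}
        for src, (nbytes, npkts) in totals.items()
    }


def top_talkers(rates, n, key="bps"):
    """Top-N sources attacking the same target, ordered by bps or pps."""
    if key not in ("bps", "pps"):
        raise ValueError("key must be 'bps' or 'pps'")
    ranked = sorted(rates.items(), key=lambda kv: kv[1][key], reverse=True)
    return [src for src, _ in ranked[:n]]


def build_offload_request(target_prefix, rates, n, key, utilization, threshold):
    """Return the offload request once utilization reaches the threshold.

    Returns None while the DMS still has capacity, so no request is sent.
    """
    if utilization < threshold:
        return None
    ipaddress.ip_network(target_prefix)  # refuse a malformed target before sending
    return {
        "target-prefix": [target_prefix],
        # "attacker" is the grouping name from the draft; the node names
        # inside it are assumptions made for this example.
        "attacker": [
            {"source-prefix": f"{src}/32", "rank": i + 1}
            for i, src in enumerate(top_talkers(rates, n, key))
        ],
        "ordering": key,
    }


if __name__ == "__main__":
    rates = aggregate_by_source(FLOWS, INTERVAL_SECONDS)
    print(build_offload_request("192.0.2.0/24", rates, 3, "bps", 0.95, 0.90))
```

Ranking by pps rather than bps surfaces a different set of sources (a small-packet flood ranks first by pps but near last by bps), which is why the ordering metric should travel with the list so the orchestrator knows what the ranking means.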
4. Expansion of DOTS Signal Channel
It is desirable that the routers or switches mitigate attack traffic
correctly after the DMS sends a DOTS Mitigation Request as an offload
request in the usecase described in Section 3. To that end, this
document proposes expanding the DOTS signal channel
[I-D.ietf-dots-signal-channel] so that it can carry not only target
information but also representative attacker information such as the
top talkers. Note that it is impractical to send all attacker
information, because an enormous number of attackers is involved when a
volume-based DDoS attack occurs.
This section describes the expansion of the YANG module [RFC7950] and
the mapping of its parameters to CBOR [RFC7049] for the DOTS Signal
Channel.
4.1. Expansion of YANG Module of DOTS Signal Channel
Figure 3 shows an expanded YANG Module of the DOTS Signal Channel.
Note that the "augment" statement allows a module to insert
additional nodes into existing data models. The module defines a new
grouping "attacker" and adds the grouping to an existing Signal
Channel module by using an "augment" statement.
   module ietf-dots-signal-channel-mitigation-offload-expansion {
     yang-version 1.1;
     namespace "urn:ietf:params:xml:ns:yang:"
             + "ietf-dots-signal-channel:mitigation-offload-expansion";
     import ietf-dots-signal-channel {
       prefix signal;
     }
     import ietf-inet-types {
       prefix inet;
     }
     organization
       "IETF DDoS Open Threat Signaling (DOTS) Working Group";
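The orchestrator side of the usecase, as an added example that is not part of the draft: it consumes an offload request carrying the target prefix plus the attacker list and derives one discard rule per (target, attacker) pair, expressed as dictionaries named after the RFC 5575 flow specification components rather than as wire-format NLRI. The request shape ("target-prefix", "attacker", "source-prefix") and the rule cap are assumptions. The checks a defender wants are included: a catch-all or malformed source prefix is refused, because a rule matching every source would blackhole the target's legitimate traffic together with the attack.

```python
"""Orchestrator side: translate an offload request into Flowspec-style rules.

Added example, not code from the draft. The request field names and the
rule cap are assumptions; rules are plain dictionaries, not BGP NLRI.
"""
import ipaddress

MAX_RULES = 100  # constructed cap: routers hold a finite number of flowspec rules

# Constructed offload request as received by the orchestrator.
REQUEST = {
    "target-prefix": ["192.0.2.0/24"],
    "attacker": [
        {"source-prefix": "203.0.113.4/32"},
        {"source-prefix": "198.51.100.7/32"},
        {"source-prefix": "0.0.0.0/0"},     # matches all sources: must be refused
        {"source-prefix": "not-a-prefix"},  # malformed: must be skipped
    ],
}


def parse_prefix(text):
    """Return an ip_network, or None when the text is not a valid prefix."""
    try:
        return ipaddress.ip_network(text, strict=True)
    except ValueError:
        return None


def request_to_flowspec(request, max_rules=MAX_RULES):
    """Build discard rules for each (target, attacker) pair.

    Returns (rules, rejected). Sources that are malformed, catch-all
    (prefix length 0) or of a different address family than the target
    are rejected rather than installed.
    """
    targets = [parse_prefix(p) for p in request.get("target-prefix", [])]
    if not targets or None in targets:
        raise ValueError("request carries no valid target prefix")

    rules, rejected = [], []
    for entry in request.get("attacker", []):
        text = entry.get("source-prefix", "")
        src = parse_prefix(text)
        if src is None or src.prefixlen == 0:
            rejected.append(text)
            continue
        for dst in targets:
            if src.version != dst.version:
                rejected.append(text)
                continue
            if len(rules) >= max_rules:
                return rules, rejected  # stop installing once the cap is hit
            rules.append({
                "destination-prefix": str(dst),  # RFC 5575 component type 1
                "source-prefix": str(src),       # RFC 5575 component type 2
                "action": {"traffic-rate": 0},   # traffic-rate 0 discards matches
            })
    return rules, rejected


if __name__ == "__main__":
    installed, dropped = request_to_flowspec(REQUEST)
    for rule in installed:
        print(rule)
    print("rejected:", dropped)
```

The rate-0 action follows RFC 5575's traffic-rate extended community, where a rate of zero means discard; a rate-limit instead of a hard drop is a one-value change in the same place if the operator prefers to degrade rather than block the top talkers.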